Secure Virtual Domain Controller using BitLocker Encryption

Hi, today’s topic is about securing virtual domain controller using BitLocker Encryption.

Virtual domain controller is sometimes at critical risk where the VHD folders can be copied and placed to another. Of course nowadays, by using BitLocker Encryption might be useful and one factor to secure our production environment.

hyper-nomdc

Moreover, the very best friend comes out with BitLocker encryption on more enhancing technology is the Trust Platform Module (TPM) where you can find in the BIOS motherboard itself.

In my lab environment, I run my host hyper-V in my lenovo thinkpad. To secure the virtual domain controller is by enabling the BitLocker Encryption on the host of the virtual machine.

Simple to do:

  1. I enable the TPM / security chip at the bios setup. I am very fortunate the Lenovo has the tools to check. You may download it here. You can here the setting is Active. that’s mean the TPM is enabled.
    tpm-is-active
  2. After that, you need to add features BitLocker encryption at the host hyper-v. you may need to restart the server.
    enable-bitlocker
  3. On control panel, you manage your bitlocker on which volume drive you need to turn on. on the screenshot below, I turn on the bitlocker on my operating system. because the virtual machine folders are located at default. you may relocate your virtual machine folder in different drive and you turn on the bitlocker on the drive that you locate the VM VHD/VHDX files.
    bitcontrolpanel

Reset password of Lost Password Windows Server 2012 / R2

I would like to cover this topic since it is essential and important for the system administrator.

The system administrator should aware that the lost password can be happened at anytime if we manage bulk servers especially the standalone server or non join domain to active directory.

So the step is straight forward and simple.

Step 1: Boot the System using Bootable DVD of Windows Server 2012

Boot the server or your system and insert the Bootable DVD/CD of Windows Server 2012 / R2. Click Next button.

1

then, click the ‘Repair your computer’.

1b

 

Step 2: Run the Command Prompt from Advanced Option.

At the option menu, click the ‘TroubleShoot’ menu.

2

At the Advanced Option, choose Command Prompt.

3

At the Command Prompt,

Step 3: Rename and Copy UtilMan.exe

Rename the old utilman.exe to utilman.exe.old

6

Copy the utilman.exe by running the command

“Copy cmd.exe utilman.exe”

7

after that, close and reboot it.

Step 4: Boot and Press Windows button Keyboard + U at Logon Screen.

While Rebooting the server and let the Windows Logo Appear. After that press the Windows button at your keyboard plus pressing the U.  windowbutton   + U

 

Step 5: Reset the administrator password using Net User Command Prompt.

When you press windows key + U button, the command prompt will be appeared.

then, type the command below

Net User Administrator YourPassw0rd

11

 

Finally,reboot your system and log on using the new password.

Secure Your Infrastructure with Least Privileges

Hi,

I would like to post this topic on securing you infrastructure with some least privileges based on server requirement. Everybody love to make some more easy and full privileges to some extent. but have you cross to your mind to secure your infrastructure.

I believe that by using Windows Environment, Active Directory is the most famous service where system admin like to centralize. I agree with that. And the highest privileges in AD environment are Domain Admins for every child domains and Enterprise Admins for Forest and Child domains.

Of course, in lab environment system admin like to use domain admins and enterprise admin even myself. However, in production zone, I would not suggest to have so much domain users given or attached with those domain admins enterprise admins. It was quite and most scary.

In the attachment, I did summarize some of all privileges based on the services required.

For example, in DHCP Server, in a AD domain environment, you may require Delegation permission to authorize to the AD for first time configuration.. Also, to manage DHCP Server, you can only have DHCP administrators without domain admins.

 

Attachment:

Requirement Privilege Document

Assign Static IP Address in Domain Controller Virtual Machine Azure

Hi,

I would like to share you some information on how to assign the static IP Address in virtual machine Azure where some of the VMs need static IP Address such as Domain controller.

We need to use Azure Powershell to configure the the static IP Address.

Firstly, We need to use Test-AzureStaticVNetIP.

Type the command: For example, Test-AzureStatic -VNetName ‘TestNetwork’ -IPAddress ‘10.0.0.10’. if the operationstatus is succeeded, that means we can use the IP address.

Type the command : Get-VMAzure -ServiceName ‘Nom-DC1’ -Name ‘NOM-DC1’. This is to verify the IP Address of the VM which were assigned by DHCP. Here the IpAddress value is 10.0.0.4get-azurevm1

Then after that, we need to assign the IP address from 10.0.0.4 (by DHCP) to static ip address 10.0.0.10

Type the command:

Get-AzureVM -ServiceName ‘Nom-DC1’ -Name ‘Nom-DC1 | Set-AzureStaticVNetIP -IPAddress ‘10.0.0.10’ | Update-AzureVM

get-azurevm2

Then verify it by typing “get-azurevm -servicename ‘nom-dc1’ -name ‘nom-dc1’. You see the IP address have changed to 10.0.10 and the powerstate is ‘starting’

get-azurevm3